[Entity Analytics][Privmon] Use default UUIDs for monitoring source saved objects#227420

Merged
hop-dev merged 6 commits intoelastic:mainfrom
hop-dev:monitoring-source-id-gen
Jul 11, 2025

Conversation

@hop-dev hop-dev commented Jul 10, 2025

Summary

Revert to using the default UUID generation for monitoring data source saved objects and remove any reference to temp-id. Previously we were generating the ID using the integration name or index name and the namespace, and also overriding this with temp-id.

  • remove temp-id refs
  • add ID param to the get and update routes URL
  • Remove the behaviour where the create API will update if the source already exists

Testing

Steps Taken from #221610

  • Pull the branch onto your local machine
  • Enable the security experimental flag: 'privilegeMonitoringEnabled'
  • Start up Elasticsearch and Kibana

1. Optional - create the default index, this should just skip if you don't make it.

```
POST entity_analytics.privileged_monitoring/_doc
{
  "user": {
    "name": "default name"
  }
}
```

2. Create test index/indices

```
PUT /tatooine-
{
  "mappings": {
    "properties": {
      "user": {
        "properties": {
          "name": {
            "type": "keyword",
            "fields": {
              "text": {
                "type": "text"
              }
            }
          }
        }
      }
    }
  }
}
```

```
POST tatooine-/_bulk
{ "index": {} }
{ "user": { "name": "Luke Skywalker" } }
{ "index": {} }
{ "user": { "name": "Leia Organa" } }
{ "index": {} }
{ "user": { "name": "Han Solo" } }
{ "index": {} }
{ "user": { "name": "Chewbacca" } }
{ "index": {} }
{ "user": { "name": "Obi-Wan Kenobi" } }
{ "index": {} }
{ "user": { "name": "Yoda" } }
{ "index": {} }
{ "user": { "name": "R2-D2" } }
{ "index": {} }
{ "user": { "name": "C-3PO" } }
{ "index": {} }
{ "user": { "name": "Darth Vader" } }
```

3. Register Monitoring Entity Source Saved Objects

```
POST kbn:/api/entity_analytics/monitoring/entity_source
{
  "type": "index",
  "name": "StarWars",
  "managed": true,
  "indexPattern": "tatooine-",
  "enabled": true,
  "matchers": [
    {
      "fields": ["user.role"],
      "values": ["admin"]
    }
  ],
  "filter": {}
}
```

- OPTIONAL: You can check what is in the monitoring entity_source SO:

```
GET kbn:/api/entity_analytics/monitoring/entity_source/list
```

4. Initialise monitoring engine:

```
POST kbn:/api/entity_analytics/monitoring/engine/init {}
```

5. Verify Users in Monitoring Index

  • Check the list of synced users; it should include:
    • The created users
    • The default user (if you created it)

```
GET kbn:/api/entity_analytics/monitoring/users/list
```

e.g. output:

```
[
 {
   "id": "FkMJoZcB7muj1aiwb_eQ",
   "user": {
     "name": "C-3PO",
     "is_privileged": true
   },
   "labels": {
     "sources": [
       "index"
     ],
     "source_indices": [
       "tatooine-"
     ]
   }
 },
 {
   "id": "F0MJoZcB7muj1aiwb_eQ",
   "user": {
     "name": "Chewbacca",
     "is_privileged": true
   },
   "labels": {
     "sources": [
       "index"
     ],
     "source_indices": [
       "tatooine-"
     ]
   }
 },
// ... more here
```

Testing: Removing Stale Users

The engine should soft delete users from the internal index if they no longer appear in the synced sources - e.g. label as monitoring.privileged_users: "not_monitored"
Example:

  • Delete users in index:
```
POST tatooine-/_delete_by_query
{
  "query": {
    "terms": {
      "user.name": ["Chewbacca", "Han Solo"]
    }
  }
}
```

  • re-run engine init
```
POST kbn:/api/entity_analytics/monitoring/engine/init
{}
```

  • Fetch the updated user list:

```
GET kbn:/api/entity_analytics/monitoring/users/list
```

You should now see that both Chewbacca and Han Solo are no longer privileged:

```
// ..
{
   "id": "GUMJoZcB7muj1aiwb_eQ",
   "user": {
     "name": "Han Solo",
     "is_privileged": false
   },
   "labels": {
     "sources": [],
     "source_indices": []
   }
 }
]
```
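
The two behaviours the summary removes (ids derived from the source name and namespace, and a create that updates an existing source) beside the behaviour it keeps (default random UUIDs, get/update addressed by id), together with the stale-user soft delete the test plan checks, as an added TypeScript illustration that is not Kibana's code: the in-memory stores, `syncUsers`, and the index contents are all invented for this example.

```typescript
// Added illustration, not Kibana code: an in-memory model of what this PR removes
// (ids derived from name + namespace, a create() that updates an existing source)
// beside what it keeps (default random UUIDs, get/update addressed by id), plus the
// stale-user soft delete the test plan checks. Every name below is invented.
import { randomUUID } from "node:crypto";

export interface MonitoringEntitySource {
  id: string;
  type: "index" | "integration";
  name: string;
  managed: boolean;
  indexPattern: string;
  enabled: boolean;
}
export type SourceInput = Omit<MonitoringEntitySource, "id">;

// BEFORE: the id is a function of the caller-chosen name and the space, and
// create() upserts, so a second create with the same name silently replaces the
// first source's configuration instead of failing or creating a sibling.
export class DerivedIdStore {
  readonly objects = new Map<string, MonitoringEntitySource>();
  private readonly namespace: string;
  constructor(namespace: string) { this.namespace = namespace; }
  create(input: SourceInput): MonitoringEntitySource {
    const obj: MonitoringEntitySource = { ...input, id: `${this.namespace}-${input.name}` };
    this.objects.set(obj.id, obj); // overwrite: create doubles as update
    return obj;
  }
}

// AFTER: the id comes from the saved-object default (a random UUID) and is handed
// back to the caller; get/update take that id in the route URL.
export class DefaultIdStore {
  readonly objects = new Map<string, MonitoringEntitySource>();
  create(input: SourceInput): MonitoringEntitySource {
    const obj: MonitoringEntitySource = { ...input, id: randomUUID() };
    if (this.objects.has(obj.id)) throw new Error(`id conflict on ${obj.id}`); // never an upsert
    this.objects.set(obj.id, obj);
    return obj;
  }
  get(id: string): MonitoringEntitySource | undefined { return this.objects.get(id); }
  update(id: string, patch: Partial<SourceInput>): MonitoringEntitySource {
    const current = this.objects.get(id);
    if (!current) throw new Error(`no monitoring source with id ${id}`);
    const next: MonitoringEntitySource = { ...current, ...patch, id };
    this.objects.set(id, next);
    return next;
  }
}

// One entry of the monitoring/users/list response shown above.
export interface MonitoredUser {
  user: { name: string; is_privileged: boolean };
  labels: { sources: string[]; source_indices: string[] };
}

// One engine run: every user found in an enabled source is privileged and labelled
// with the source type and index; a user from the previous run that no longer
// appears anywhere is soft-deleted (is_privileged=false, labels emptied) rather than
// dropped. indexContents stands in for the Elasticsearch indices (constructed data).
export function syncUsers(
  previous: MonitoredUser[],
  sources: MonitoringEntitySource[],
  indexContents: Record<string, string[]>,
): MonitoredUser[] {
  const seen = new Map<string, MonitoredUser>();
  for (const source of sources) {
    if (!source.enabled) continue;
    for (const name of indexContents[source.indexPattern] ?? []) {
      const entry: MonitoredUser = seen.get(name) ?? {
        user: { name, is_privileged: true },
        labels: { sources: [], source_indices: [] },
      };
      if (!entry.labels.sources.includes(source.type)) entry.labels.sources.push(source.type);
      if (!entry.labels.source_indices.includes(source.indexPattern)) {
        entry.labels.source_indices.push(source.indexPattern);
      }
      seen.set(name, entry);
    }
  }
  for (const old of previous) {
    if (seen.has(old.user.name)) continue;
    seen.set(old.user.name, {
      user: { name: old.user.name, is_privileged: false },
      labels: { sources: [], source_indices: [] },
    });
  }
  return Array.from(seen.values());
}
```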

@hop-dev hop-dev requested a review from a team as a code owner July 10, 2025 11:09
@hop-dev hop-dev requested a review from machadoum July 10, 2025 11:09
@hop-dev hop-dev added the labels release_note:skip (Skip the PR/issue when compiling release notes), Team:Entity Analytics (Security Entity Analytics Team), backport:version (Backport to applied version labels) and v9.1.0 on Jul 10, 2025
@elasticmachine

Pinging @elastic/security-entity-analytics (Team:Entity Analytics)

@hop-dev hop-dev self-assigned this Jul 11, 2025
Comment on lines +236 to +249
MonitoringEntitySourceNoId:
allOf:
- $ref: '#/components/schemas/MonitoringEntitySourceProperties'
- type: object
required: [type, name, managed]

MonitoringEntitySource:
allOf:
- $ref: '#/components/schemas/MonitoringEntitySourceProperties'
- type: object
required: [type, name, id, managed]
properties:
id:
type: string
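Review bot: MonitoringEntitySourceNoId only drops `id` from the `required` list; nothing in this hunk stops a caller from sending an `id` in the create body, and since this change moves id generation to the saved-object default, the create schema should reject a caller-supplied `id` explicitly (or the route should validate that it is absent) rather than relying on it being ignored downstream. Consider also `format: uuid` on `MonitoringEntitySource.id` if the default ids are always UUIDs, so the new get/update path params can be validated against the same shape.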
Member

😍

@machadoum machadoum left a comment

Code LGTM!

I did not desk-test it.

Comment on lines +280 to +286
/**
*
*
* @param {(Pick<AssetCriticality, 'idField' | 'idValue' | 'criticalityLevel'> & {
* refresh?: 'wait_for';
* })} params
* @return {*} {Promise<AssetCriticalityRecord>}
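Review bot: the JSDoc block on lines +280 to +286 has an empty description and a `@return {*}` that adds nothing beyond the TypeScript signature, so editors show an empty tooltip; either describe in one line what the function does with the `idField`/`idValue`/`criticalityLevel` params and the `refresh: 'wait_for'` option, or drop the block. It also lands in asset-criticality code that the summary does not mention, so it is worth confirming it belongs in this PR.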
Member

What is it for? It doesn't do anything to my editor 🤔

@hop-dev
Contributor Author

hop-dev commented Jul 11, 2025

@elasticmachine merge upstream

@hop-dev hop-dev enabled auto-merge (squash) July 11, 2025 15:20
@hop-dev hop-dev merged commit e26d309 into elastic:main Jul 11, 2025
12 checks passed
@kibanamachine

Starting backport for target branches: 9.1

https://github.com/elastic/kibana/actions/runs/16225554007

@elasticmachine

💚 Build Succeeded

Metrics

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 9.8MB 9.8MB -2.0B

History

cc @hop-dev

kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Jul 11, 2025
…aved objects (elastic#227420)
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit e26d309)
@kibanamachine

💚 All backports created successfully

Status Branch Result
9.1

Note: Successful backport PRs will be merged automatically after passing CI.

Questions?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Jul 11, 2025
…urce saved objects (#227420) (#227702)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[Entity Analytics][Privmon] Use default UUIDs for monitoring source
saved objects (#227420)](#227420)


### Questions?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)


Co-authored-by: Mark Hopkin <mark.hopkin@elastic.co>
@hop-dev hop-dev deleted the monitoring-source-id-gen branch July 14, 2025 10:10
kertal pushed a commit to kertal/kibana that referenced this pull request Jul 25, 2025
…aved objects (elastic#227420)

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>